Why hacked companies like Uber should not pay ransoms

When a company gets hacked, there is a short decision-making window of about 24 hours in which it must decide whether to disclose the data breach to regulators or play ball with the antagonists.

If $100,000 doesn’t seem like much for the personal information of more than 50 million people, that’s the point. According to Archie Agarwal, CEO at ThreatModeler, a cybersecurity defense firm, hackers have learned to manage their own expectations.

“Ten years ago, a hacker stole an entire database from a university, encrypted it, and said ‘give me $10 million,’” Agarwal told Yahoo Finance. “They said no. Had that guy asked for $200,000, he actually would have got the money.”


The price is usually right

According to Agarwal, hackers have gotten smarter, weighing the costs of legal fees, fines, and reputational damage and trying to make things affordable. “It was actually a steal. $100,000 is in line with what hackers are asking from other companies as well.”

Today’s cybersecurity and information security landscape has been shaped considerably by Equifax and other major hacks, which leaked extremely critical personal identification information, like Social Security numbers. With such a recent history of horrendous security, stolen data has flooded the market, driving down prices.

“It’s simple economics,” said Agarwal. “When SSNs were getting hacked a decade ago, it was like $100 per social. But at the end of 2009, it came down to pennies.”

With sensitive data like SSNs and “fresh” credit card information floating about the dark web, a breach of phone numbers and email addresses becomes fairly devalued, making ransom or blackmail an easy choice for hackers.

Ransom can turn into blackmail

Both Agarwal and Larry Johnson, a former Secret Service special agent and CEO at cybersecurity firm CyberSponse, told Yahoo Finance that paying a ransom is a dangerous game.

Uber “made a mistake by paying a ransom,” said Johnson. “It’s almost never going to be a one-time payment.”

Going down the path of paying ransom instead of telling the authorities and the public, whose data is compromised, gives the hacker significant leverage.

“They get you hooked and know you can never disclose,” said Johnson. “A lot of times organizations get fined millions of dollars by regulators if they didn’t notify within the time period. It’s just not a security issue that it’d been initially.”

The bug bounty defense

The price’s attractiveness isn’t the only thing that makes paying ransoms more palatable to a company dealing with a data thief. There is also a chance of plausible deniability from a public relations standpoint: calling the payment a “bug bounty.” A bug bounty is the industry term for the reward paid to hackers, often working for cybersecurity consulting firms, who identify holes in a company’s security and report them to it.

When hackers pinched a “Game of Thrones” episode from HBO, they demanded millions. The company did not comply but wrote in a leaked email, “As a show of good faith on our side, we are willing to commit to making a bug bounty payment of $250,000 to you as soon as we can establish the necessary amount and acquire bitcoin.”

Though security researchers, cybersecurity consultants, and watchful observers can tell a ransom payment from a bug bounty, the public may buy the narrative.

“It’s PR spin if you think about it,” said Agarwal. “You can call it whatever you want.” In certain situations, it might succeed in re-framing a ransom payment as something else, but it becomes less plausible if a company doesn’t have a history of offering bounties or if personal information was involved.

For its part, Uber hasn’t attempted to spin the hack the way HBO did, but it’s a tactic that may become part of companies’ damage control repertoire in the future, especially since, as Agarwal notes, companies keep paying the ransoms. After each hack, one thing is apparent, as cybersecurity consultants have repeatedly told Yahoo Finance: Many companies do not believe that an ounce of prevention is worth a pound of cure, preferring to risk the fallout from ransom payments and fines rather than pay for a comprehensive security system.